A critical, currently unpatched remote code execution vulnerability (CVE-2026-25874) in HuggingFace’s LeRobot robotics framework allows any unauthenticated attacker with network access to execute arbitrary OS commands on the GPU server: no credentials, no exploit chain and no prior access are required.
The flaw was disclosed on April 22, 2026, after it was independently confirmed against the real lerobot==0.4.3 package on PyPI. With a CVSS 3.1 score of 9.8 and a CVSS 4.0 score of 9.3, the vulnerability affects all LeRobot versions through 0.5.1. It remains unpatched at the time of publication, with a fix tentatively tracked in the upcoming version 0.6.0.
LeRobot is HuggingFace’s open-source platform for real-world robotics powered by machine learning, with over 21,500 GitHub stars and growing adoption across the ML and robotics research communities.
HuggingFace LeRobot RCE Vulnerability
The vulnerability sits in LeRobot’s async inference module, which offloads computationally intensive policy computation to a dedicated GPU server: a robot client sends camera observations and the PolicyServer returns motor actions via gRPC.
The communication between the robot client and the PolicyServer is handled over Google’s gRPC framework using protobuf messages that carry raw bytes fields, and those raw bytes are serialized and deserialized using Python’s pickle module, a format well known for its arbitrary code execution risk when fed untrusted data.
The root cause is devastatingly simple: the PolicyServer calls pickle.loads() on attacker-controlled network data in two separate RPC handlers, SendPolicyInstructions (line 127 of policy_server.py) and SendObservations (line 185), before performing any type validation.
Even more critically, the gRPC server is launched with add_insecure_port(), meaning there is no TLS encryption and no authentication layer of any kind.
The exploit flow requires just three steps:
- An attacker crafts a malicious Python object that overrides __reduce__() to invoke os.system() with an arbitrary shell command
- The payload is serialized with pickle.dumps() and sent as raw bytes inside a PolicySetup or Observation protobuf message
- The PolicyServer calls pickle.loads() on receipt, triggering immediate OS-level command execution; the type validation check occurs only after deserialization, making it entirely ineffective as a security control
What makes this particularly damning is the presence of # nosec comments in both vulnerable code paths, developer annotations used to suppress warnings from Bandit (a Python security linter). The developers explicitly silenced automated security tooling that flagged pickle.loads() as dangerous and proceeded without any compensating controls.
A proof-of-concept, tested against a stock PyPI install with no modifications, confirmed full code execution via both vectors. The server returned StatusCode.UNKNOWN after execution because the deserialized int returned by os.system() failed the subsequent isinstance() check, but by that point the command had already run.
Affected Scope and Attack
All LeRobot releases through version 0.5.1 are confirmed vulnerable. The async inference module was added to the codebase in September 2025 and has received no security patches since then. While the default server configuration binds to localhost:8080, the entire architecture is designed for network-exposed deployments.
PolicyServer is explicitly intended to run on a remote GPU machine, and the --host 0.0.0.0 flag is documented and supported, meaning real-world production deployments will bind to all interfaces by design. There are three exploitable gRPC calls in total: SendPolicyInstructions, SendObservations, and GetActions.
Adding to the urgency: this is not the first time LeRobot’s security has been flagged. A separate researcher privately reported a similar issue in December 2025 via GitHub’s Security Advisory tab and received no response from the vendor for weeks.
A LeRobot maintainer acknowledged the security risk on January 7, 2026, noting “that part of the codebase needs to be almost entirely refactored.” Still, no fix or CVE was issued at that time.
A prior CVE, CVE-2025-10772, covers a separate missing-authentication flaw in lekiwi_remote.py over ZeroMQ, a sign of systemic security debt across the project’s network components.
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-25874 |
| CVSS 3.1 Score | 9.8 (Critical) |
| CVSS 4.0 Score | 9.3 (Critical) |
| Affected Versions | LeRobot ≤ 0.5.1 |
| Vulnerability Type | Unsafe Deserialization (CWE-502) |
| Attack Vector | Network (No Auth, No TLS) |
| Disclosed | April 22–23, 2026 |
| Patch Status | Unpatched (Fix planned in v0.6.0) |
HuggingFace’s Own Safetensors
There is no technical necessity for pickle here. All fields in the RemotePolicyConfig object that SendPolicyInstructions expects are simple strings, integers and dicts that JSON or native protobuf fields could represent trivially.
The tensor data sent by SendObservations could use safetensors or numpy serialization without any loss of functionality. The irony is sharp: HuggingFace itself created safetensors, a serialization format built explicitly because pickle is dangerous for ML data.
The company’s own documentation and blog posts warn against using pickle for untrusted data. Yet its own robotics framework ships pickle.loads() over an unauthenticated network socket, with # nosec comments to silence the warning.
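The handler pattern the advisory describes, beside the kind of hardened replacement this section calls for, as an added illustration that is not LeRobot’s code: the RemotePolicyConfig field names are assumed for the example, the pickle check is a logging heuristic, and tensor payloads (the safetensors side) are left out.

```python
import json
import pickle  # imported only to illustrate the vulnerable pattern below

# Stand-in for the fields a RemotePolicyConfig carries; these names are an
# assumption for this example, not copied from LeRobot.
CONFIG_SCHEMA = {"policy_type": str, "pretrained_name_or_path": str,
                 "device": str, "actions_per_chunk": int}


def unsafe_handle_instructions(raw: bytes) -> dict:
    """VULNERABLE pattern from the advisory: untrusted bytes reach
    pickle.loads() first; the type check runs only afterwards."""
    obj = pickle.loads(raw)  # any code the payload carries has run by now
    if not isinstance(obj, dict):  # too late to act as a security control
        raise TypeError("expected a config dict")
    return obj


def looks_like_pickle(raw: bytes) -> bool:
    """Heuristic for logging/alerting: pickle protocol 2+ streams start with
    the PROTO opcode (0x80) followed by the protocol number."""
    return len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= 5


def safe_handle_instructions(raw: bytes, max_len: int = 64 * 1024) -> dict:
    """Hardened replacement: JSON against an explicit allowlist, fully
    validated before any value is used. No code path can run attacker code."""
    if len(raw) > max_len:
        raise ValueError("config message too large")
    if looks_like_pickle(raw):
        raise ValueError("pickle payloads are not accepted")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("config is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(obj) - set(CONFIG_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for name, expected in CONFIG_SCHEMA.items():
        if name not in obj:
            raise ValueError(f"missing field: {name}")
        # exact match: bool is a subclass of int and must not pass as one
        if type(obj[name]) is not expected:
            raise ValueError(f"field {name!r} must be {expected.__name__}")
    return obj
```

The same shape applies to the observation handler: define the wire format so that deserializing it can never execute code, then validate shape and bounds before touching the contents.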
Mitigation
Until a patched version is released, administrators running LeRobot’s async inference server should take these actions immediately:
- Firewall the gRPC port – restrict inbound access to the PolicyServer port (default 50051) to explicitly trusted source IPs only
- Isolate the deployment – run LeRobot services inside containers with minimal OS privileges and no access to production credentials or API keys
- Rotate HuggingFace tokens – if the PolicyServer host had access to HuggingFace API tokens or model repository credentials, rotate them immediately and audit access logs
- Monitor for the v0.6.0 patch – track GitHub PR #3048, which contains the planned fix, and upgrade as soon as it ships
FAQ
Q1: What is CVE-2026-25874?
CVE-2026-25874 is a critical unauthenticated RCE vulnerability in HuggingFace LeRobot’s gRPC PolicyServer, caused by unsafe pickle.loads() deserialization of attacker-controlled network data; it carries a CVSS score of 9.8.
Q2: Which versions of LeRobot are affected by CVE-2026-25874?
All LeRobot releases through version 0.5.1 are confirmed vulnerable, and no official patch has been released as of April 2026.
Q3: Can CVE-2026-25874 be exploited without credentials?
Yes, the gRPC server uses add_insecure_port() with no TLS or authentication, meaning any attacker with network-level access to the port can send a malicious pickle payload and achieve immediate code execution.
Q4: What is the recommended fix for CVE-2026-25874?
Replace pickle with JSON or protobuf-native fields for config data, use safetensors for tensor serialization, and add TLS with gRPC interceptor-based token authentication to the PolicyServer.
Site: https://thecybrdef.com